In April of 2016, Mossack Fonseca, a law firm in Panama suffered a large data breach resulting from a cyberattack. Known as the Panama Papers, it uncovered the offshore finance information of many billionaires. This resulted in serious investigations which will undoubtedly cause legal consequences for those involved.
Although this high-profile case involved some dubious financial practices, the fact remains that had the law firm practiced better information security protocols, the breach could have been prevented or limited. Unfortunately, nearly a year later, there are still some areas that need to be addressed.
First, you must engage key stakeholders to bring the right people to the table. Key stakeholders can include: Information Technology, Records Management, Privacy, Security, Human Resources, Finance, etc.
Next, you must understand how people currently use information in your organization. Some of the ways to gather this include: interviews, surveys and possibly even informational lunch and learn sessions. In our experience, the latter has worked well because users are in a relaxed setting and are willing to share their ideas and experiences.
However, much will depend on the culture of the organization to decide what will work best; a hybrid approach will mostly likely prove to be most successful. In the end the choice is yours.
Once you have been successful and have brought the right people to the table, the next step is to decide if the current business process actually works. In other words, is your current process meeting the goals of the business? For example, suppose during one of the interviews with your HR department, you find out SharePoint is used to transfer data to other counsel. Why? Because it’s easier to share information using a repository like SharePoint rather than by email, due to file size restrictions and limits.
However, you also find out that each user operates a bit differently, and as a result, duplicate data is scattered across multiple sites without the ability to apply governance policies. This process must be dealt with immediately and the existing process will need to be amended.
At this point, the firm must decide on a process that is aligned with the business goals. Please keep in mind, the new process should not make it harder for users to do their jobs. If it does, your efforts will fail.
After you have engaged with the right people, evaluated processes, and spent time refining the processes, you must leverage technology to ensure the long-term success of the new strategy.
Organizations have three options:
- Utilize existing technology
- Purchase new technology
- A hybrid approach – combination of existing and new technology
When trying to decide which option to choose, it’s important to be sure that the selected technology continues to align with your business process and overall goals.
Here are some crucial questions to ask:
1. How does the solution manage information in varying locations (e.g. file shares, SharePoint, Email)?
Managing information thoroughly seems so logical, but it is one of the most commonly overlooked aspects of information governance or records management. Below are three primary approaches that vendors take:
- manage information in place utilizing current systems
- migrate information to one system that also serves as the management software
- migrate information to one system and use third party software to manage it.
A is an appealing approach because it is extremely flexible and can fit into nearly all future environments, systems and upgrades. Plus, it often is associated with higher user adoption because users continue with their current processes and retention/disposition is automated behind the scenes.
B often requires significant design, implementation and cost. Similarly, it often leaves information that resides outside the central repository unmanaged.
C is a similar approach to B, but it can potentially leverage current technology. Still, it has the shortcomings of requiring storage in specific locations and leaves other information unmanaged.
2. Are data migrations, upgrades or changes in the systems required now or in the near future?
It is important to understand what is required in terms of moving information from one location to another. The migration process can consume extensive time, cost and risk.
Further, when a system is upgraded, some software vendors need to adjust the file plan accordingly so it can be applied to records.
3. How does the solution account for litigation holds?
Clearly, there needs to be a mechanism to place information on hold. However, once the initial hold is created, it is vital that the solution automatically adds newly created information to an existing hold(s).
4. How does the solution affect end user processes?
An information governance solution is only as good as the adoption rate. End user adoption is directly affected by system changes, cumbersome processes and confusing instructions. Fully understand the process end users will need to adopt. New technology and/or processes may be needed. Yet, the new technology should not drive the new process. The new technology should complement the process.
5. Can the solution control access to sensitive information?
Increasingly important is the ability to govern access to sensitive information. The solution should be able to regulate access, identify locations, automatically protect and dispose of sensitive information appropriately.
6. Can records be locked, remaining immutable until disposition?
Some records should be kept unchanged during their lifecycle. Understand if this functionality exists and if information needs to be moved to a specific location to accomplish this goal.
7. What does the solution cost in total?
Obviously the solution has to fit into budgets. Take the time to understand the total cost of a solution. The total cost of ownership (TCO) could include software, hardware, third party systems, services (installation, configuration, assessments and migrations). When comparing multiple solutions, TCO can be tough to compare. Dig the vendors for true and total cost of their information governance solution.
8. Does the solution integrate with my other business systems?
Don’t ignore your other systems when designing your information governance practice. Each of these system is not only a potential location for redundant, obsolete and trivial information (ROT), they could also be the key to triggering the right actions to determine security, privacy or retention policies.
9. What is the time and resource commitment to implement, support, maintain and upgrade?
The time spent on designing, implementing and maintaining a records management solution is time away from other areas. With that in mind, fully understand how a new solution impacts time commitment.
Time is money. Not only does the time commitment equal opportunity cost, it can equal actual hard, quantifiable dollars when being charged by a vendor. Know what to expect before committing to an overly complicated project.
10. Does the solution create custom reports, audit trails and defensible disposition documentation?
A solution with plenty of customization options can be handy because future reporting needs may change and it is difficult to know how. Regulations may alter the way you want to track or execute records management and disposition. If called into question, the assurance of sound documentation outlining the retention/disposition process can be critical.
If law firms follow this three-step approach (People, Process, Technology) their information security environment will no longer be considered a black hole, but a secure ecosystem that is trusted by everyone in the organization.
By Kevin Bley